From a769269c58161b90f83f878d4c1dc68f4b39571e Mon Sep 17 00:00:00 2001 From: huyz Date: Sat, 11 Mar 2023 20:33:51 -0800 Subject: [PATCH] Add role sudo_by_ssh_agent --- CHANGELOG.rst | 2 + README.md | 10 +++-- changelogs/changelog.yaml | 4 ++ .../2023-03-09_sudo_by_ssh_agent.yml | 2 + .../fragments/2023-03-09_v1.0.3_summary.yml | 1 + roles/sudo_by_ssh_agent/README.md | 28 +++++++++++++ roles/sudo_by_ssh_agent/tasks/main.yml | 41 +++++++++++++++++++ 7 files changed, 85 insertions(+), 3 deletions(-) create mode 100644 changelogs/fragments/2023-03-09_sudo_by_ssh_agent.yml create mode 100644 roles/sudo_by_ssh_agent/README.md create mode 100644 roles/sudo_by_ssh_agent/tasks/main.yml diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 9b73ad0..08fc0f9 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -13,12 +13,14 @@ Release Summary | Release Date: 2023-03-09 | Initial release of the password_prompt role +| Initial release of the sudo_by_ssh_agent role Major Changes ------------- - prompt_password - initial commit +- sudo_by_ssh_agent - initial commit v1.0.2 ====== diff --git a/README.md b/README.md index b5020a5..d84f2ab 100644 --- a/README.md +++ b/README.md 
@@ -11,11 +11,15 @@ This Ansible collection contains roles for general use. Roles: - `huyz.general.add_to_config_file` ([README](https://github.com/huyz/ansible-collection-huyz-general/blob/master/roles/add_to_config_file/README.md)) - - Function: Safely insert a block into one or more shell config files - - Use case: Mainly intended to be re-used by other roles + - Function: Safely insert a block into one or more shell config files. + - Use case: Mainly intended to be re-used by other roles. - `huyz.general.prompt_password` ([README](https://github.com/huyz/ansible-collection-huyz-general/blob/master/roles/prompt_password/README.md)) - Function: Prompts for the `ansible_password` if not defined. - - Use case: Avoid the need to call `ansible-playbook` with `--ask-pass` and `--ask-become-pass` + - Use case: Avoid the need to call `ansible-playbook` with `--ask-pass` and `--ask-become-pass`. +- `huyz.general.sudo_by_ssh_agent` ([README](https://github.com/huyz/ansible-collection-huyz-general/blob/master/roles/sudo_by_ssh_agent/README.md)) + - Function: Configures sudo to use the `libpam-ssh-agent-auth` package and + authorize the provided ssh key. + - Use case: Avoid the need to authenticate with a password to run privileged commands. --- diff --git a/changelogs/changelog.yaml b/changelogs/changelog.yaml index 241b7e4..2897b4a 100644 --- a/changelogs/changelog.yaml +++ b/changelogs/changelog.yaml @@ -17,12 +17,16 @@ releases: changes: major_changes: - prompt_password - initial commit + - sudo_by_ssh_agent - initial commit release_summary: '| Release Date: 2023-03-09 | Initial release of the password_prompt role + | Initial release of the sudo_by_ssh_agent role + ' fragments: - 2023-03-09_prompt_password.yml + - 2023-03-09_sudo_by_ssh_agent.yml - 2023-03-09_v1.0.3_summary.yml release_date: '2023-03-09' diff --git a/changelogs/fragments/2023-03-09_sudo_by_ssh_agent.yml b/changelogs/fragments/2023-03-09_sudo_by_ssh_agent.yml new file mode 100644 index 0000000..b496c4f 
--- /dev/null +++ b/changelogs/fragments/2023-03-09_sudo_by_ssh_agent.yml @@ -0,0 +1,2 @@ +major_changes: + - sudo_by_ssh_agent - initial commit diff --git a/changelogs/fragments/2023-03-09_v1.0.3_summary.yml b/changelogs/fragments/2023-03-09_v1.0.3_summary.yml index bbba6dc..ea6930c 100644 --- a/changelogs/fragments/2023-03-09_v1.0.3_summary.yml +++ b/changelogs/fragments/2023-03-09_v1.0.3_summary.yml @@ -1,3 +1,4 @@ release_summary: | | Release Date: 2023-03-09 | Initial release of the password_prompt role + | Initial release of the sudo_by_ssh_agent role diff --git a/roles/sudo_by_ssh_agent/README.md b/roles/sudo_by_ssh_agent/README.md new file mode 100644 index 0000000..4cd6fb2 --- /dev/null +++ b/roles/sudo_by_ssh_agent/README.md @@ -0,0 +1,28 @@ +# Ansible role: huyz.general.sudo_by_ssh_agent + +Configures sudo to use the `libpam-ssh-agent-auth` package and authorize the +provided ssh key. + +## Installation + +This repo uses the FQCN convention. + +Include the collection in the Ansible Galaxy `requirements.yml`: + +```shell +--- +collections: + - name: huyz.general +``` + +You can then include the role `huyz.general.sudo_by_ssh_agent`. + +## Example + +```yaml + - name: Authorize sudo by ssh agent + ansible.builtin.include_role: + name: huyz.general.sudo_by_ssh_agent + vars: + pub_files_for_sudo: ['~/.ssh/id_ed25519-vip.pub'] +``` diff --git a/roles/sudo_by_ssh_agent/tasks/main.yml b/roles/sudo_by_ssh_agent/tasks/main.yml new file mode 100644 index 0000000..b10cab5 --- /dev/null +++ b/roles/sudo_by_ssh_agent/tasks/main.yml 
@@ -0,0 +1,41 @@ +# Requires vars: +# - pub_files_for_sudo: list of full path of the public keys to use for sudo +--- +- name: Ensure libpam-ssh-agent-auth package + ansible.builtin.package: + name: libpam-ssh-agent-auth + become: true + +- name: Add to sudo authorized_keys the content of {{ pub_files_for_sudo }} + ansible.posix.authorized_key: + user: root # dummy + key: "{{ lookup('file', item) }}" + path: /etc/security/authorized_keys + manage_dir: false + become: true + loop: "{{ pub_files_for_sudo }}" + +# Per https://www.lorier.net/docs/ssh-agent-sudo.html +- name: Enable pam_ssh_agent_auth for sudo + ansible.builtin.blockinfile: + dest: /etc/pam.d/sudo + marker: "# {mark} ANSIBLE MANAGED BLOCK: {{ block_id }}" + insertbefore: "@include common-auth" + block: | + # Allow sudo by ssh agent + auth sufficient pam_ssh_agent_auth.so file=/etc/security/authorized_keys + vars: + block_id: sudo_by_ssh_agent + become: true + +# Per https://www.lorier.net/docs/ssh-agent-sudo.html +- name: Preserve SSH_AUTH_SOCK for sudo + ansible.builtin.blockinfile: + dest: /etc/sudoers + marker: "# {mark} ANSIBLE MANAGED BLOCK: {{ block_id }}" + insertafter: '#Defaults:%sudo env_keep \+= "SSH_AGENT_PID SSH_AUTH_SOCK"' + block: | + Defaults:%sudo env_keep += "SSH_AGENT_PID SSH_AUTH_SOCK" + vars: + block_id: sudo_by_ssh_agent + become: true
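Review bot: The "Preserve SSH_AUTH_SOCK for sudo" task writes to /etc/sudoers without any syntax check, so a malformed block leaves the host with a broken sudo that can no longer be repaired through sudo; run the result through visudo before it is moved into place with `validate: '/usr/sbin/visudo -cf %s'`. The PAM task has a quieter failure mode: when `insertbefore: "@include common-auth"` matches nothing (that line, the `%sudo` group and the `libpam-ssh-agent-auth` package name all look Debian-specific), blockinfile appends the block at the end of /etc/pam.d/sudo, after the password modules, where a `sufficient` entry no longer gives passwordless sudo — consider failing explicitly on a non-matching file instead of letting the role report success. Because every key in /etc/security/authorized_keys becomes a root credential, the file's owner and mode matter; the authorized_key module presumably leaves it 0600 owned by `user: root`, but that is worth pinning with an explicit `ansible.builtin.file` task rather than relying on a module default. I would also extend the header comment to say that the `pub_files_for_sudo` paths are read on the controller via `lookup('file', …)` and that anyone holding a forwarded agent with one of these keys can become root on the host.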